ISA Non web publishing problem
ISA Non web publishing problem - 2.May2007 12:10:05 AM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
We are trying to configure an ISA server publishing rule for a server on our internal network. We are using ISA 2006 Standard and using a Back-Firewall network configuration. The server has two NICs, one of which connects into the front firewall and the other connects to the LAN. We have an application which needs to establish a TCP 8000 session. We create the non-web server publishing rule, designate a pre-created protocol (TCP 8000 outbound) to the rule, assign it the destination address of the published server (which the ISA server can see and communicate with over 8000), and set the rule to enabled. In logging we see that the traffic is not being picked up by the rule; it's going to the default rule (Denied). If I create access rules to allow 8000 in and outbound from anywhere to anywhere, we see the logging pick it up, "Initiated connection" then "Closed connection"; removing the access rules and just having the server publishing rule means the traffic is denied. We can Telnet to the published server over TCP 8000 from the ISA server. To confirm that the application works, we have taken the ISA server out of the picture. We created an inbound port forward on our firewall and this directed traffic straight through to the server. The application works as expected when configured like this, so the application doesn't have an issue with NAT translations or port forwards. We have tried setting the default gateway on the published server to be the ISA server; however, the rule still does not pick up the traffic. We noticed that even with the server publishing rule, the ISA server isn't listening on port 8000. We need to know why the firewall rule is not picking up traffic for the published server. Anyone have any ideas?
RE: ISA Non web publishing problem - 2.May2007 1:38:57 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
quote:
We create the non-web server publishing rule, designate a pre-create protocol (TCP 8000 outbound) to the rule,
Inbound would work better! RB HTH
RE: ISA Non web publishing problem - 2.May2007 7:45:52 PM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
Can't you only assign outbound protocols to server publishing rules...
RE: ISA Non web publishing problem - 4.May2007 1:23:37 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
If you are publishing the server using ISA (inside and behind the ISA firewall), you will need to use a protocol defined for "inbound", not outbound. Outbound protocols would be defined for use with firewall access policies. RB
RE: ISA Non web publishing problem - 6.May2007 7:46:36 PM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
Sorry, getting our wires crossed. The inbound and outbound we are talking about is the opposite; for some reason I was talking about the only traffic I was seeing on the ISA, which was outbound: it was seeing the device hitting the ISA, not logging it, and then seeing the traffic leaving the ISA and blocking that. I fixed the first part of my problem, whereby the ISA server having two NICs, one NIC's IP range was included in the "External" network, and then I was declaring the range in Internal as well. Advised by a Microsoft tech to not declare the second NIC's range and set my rule to listen on the External network (I'm going to run into problems later with this, as I also have two HTTPS 443 rules with different certificates and different listeners, and apparently you need two different addresses to have them exist at the same time, so not declaring them is not going to work... but I'll get to that when I get to it!). My problem now is that I see the traffic, and it picks up the rule, forwards the traffic to the published server (over 8000 TCP), but then the traffic coming back is on a random port (30000 ~ 40000). This isn't because the server is sending it back on that; it's because the device isn't establishing a session with the published server, so the traffic coming back isn't seen as part of the traffic that came in. Any ideas as to why it wouldn't be establishing a session? I've tried having the traffic as "Appear as ISA" or "appear as original client"; neither makes any difference. I have a SecureNAT established with the published server (published server's default gateway is the internal facing NIC of the ISA box). Why doesn't it establish a session?
RE: ISA Non web publishing problem - 6.May2007 11:25:07 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
Having the Internal/External Network conflict can be a bit of a problem and glad to hear that you got that one resolved.
quote:
"My problem now, is that i see the traffic, and it picks up the rule, forwards the traffic to the published server (Over 8000 TCP) but then the traffic coming back is on a random port (30000 ~ 40000) this isn't because the server is sending it back on that, its because the device isn't establishing a session with the published server, so the traffic coming back isn't seen as part of the traffic that came in."
Is your ISA server at the perimeter or does it sit behind another firewall device? Acknowledgement will be sent back on a random port to port 8000 of the destination. This is what it should do, and I would think doing a network capture should confirm it. It sounds like it's being blocked somewhere upstream. Not knowing more about the application you are publishing, it's possible that you may need to modify the protocol definition and add secondary protocol definitions. With having the Internal/External network conflict issue, would there be any possibility that something else is amiss with your setup? Such as Internal/External NIC configurations and DNS properly configured and resolving? RB HTH
RE: ISA Non web publishing problem - 6.May2007 11:31:28 PM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
Think I might have narrowed it down more. A breakdown of what happens: we have three key components in this, the "device" (a mobile device that accesses the published server), the ISA, and the published server. Initial connection in logging shows: Source = Device, Destination = published server (the LAN 192.x.x.x address of the published server). The return traffic: Source = External NIC of ISA, Destination = Device. Could it be that it's establishing a session correctly, but it's returning not "from" the published server but from the ISA server, and therefore blocking the traffic? Should it appear to come back out as from the published server? See a paste from the logs below:

Device = 203.202.52.80
ISA Ext NIC = 202.92.91.107
Published server = 192.168.1.48

TCP 203.202.52.80:22032 192.168.1.48:8000 203.202.52.80 External Internal Establish 0x0 Lockdown Policy 8000 -
TCP 202.92.91.107:8000 203.202.52.80:22032 202.92.91.107 Local Host External Denied 0xc004002d - Unidentified IP Traffic 192.168.1.34
TCP 202.92.91.107:8000 203.202.52.80:22032 202.92.91.107 Local Host External Denied 0xc004002d - Unidentified IP Traffic 192.168.1.34
RE: ISA Non web publishing problem - 6.May2007 11:32:12 PM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
That really didn't format well... there are three lines in the logging. Each line begins with "TCP" for your reference...
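The three log records pasted in the previous post can be correlated mechanically. The script below is an added example, not code from the thread, from ISAserver.org or from Microsoft: it parses the records, pairs the "Establish" entry for the published TCP 8000 session with the reply entries addressed back to the same client socket, and reports when the reply is sourced from a host other than the published server (here the ISA external NIC, 202.92.91.107, from the Local Host network). The column order (protocol, source, destination, original client IP, source network, destination network, action, result code, remainder) and the set of network names are assumptions read off the paste, not ISA's documented log schema.

```python
"""Correlate ISA Server 2006 log lines for a non-web server publishing rule.

Added example, not from the thread or from Microsoft.  The column order and the
network names below are assumptions taken from the paste in the thread.
"""
import re
from dataclasses import dataclass

# Network names seen in the paste (assumption: no other names occur).
NETWORKS = ("Local Host", "External", "Internal")

# The three records from the thread, one per line (constructed from the paste).
SAMPLE_LOG = """\
TCP 203.202.52.80:22032 192.168.1.48:8000 203.202.52.80 External Internal Establish 0x0 Lockdown Policy 8000 -
TCP 202.92.91.107:8000 203.202.52.80:22032 202.92.91.107 Local Host External Denied 0xc004002d - Unidentified IP Traffic 192.168.1.34
TCP 202.92.91.107:8000 203.202.52.80:22032 202.92.91.107 Local Host External Denied 0xc004002d - Unidentified IP Traffic 192.168.1.34
"""

LINE_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+"
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+"
    r"(?P<client_ip>[\d.]+)\s+"
    r"(?P<nets>.+?)\s+"                       # "External Internal" / "Local Host External"
    r"(?P<action>Establish|Initiated|Closed|Denied|Allowed)\s+"
    r"(?P<result>0x[0-9a-fA-F]+)\s*"
    r"(?P<rest>.*)$"
)


@dataclass
class Record:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    client_ip: str
    src_net: str
    dst_net: str
    action: str
    result: str
    rest: str


def split_networks(nets: str):
    """Split 'Local Host External' into ('Local Host', 'External')."""
    for src in NETWORKS:
        if nets.startswith(src + " "):
            dst = nets[len(src) + 1:]
            if dst in NETWORKS:
                return src, dst
    raise ValueError(f"unrecognised network pair: {nets!r}")


def parse_log(text: str):
    """Parse every line that matches the assumed column layout; skip the rest."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src_net, dst_net = split_networks(m["nets"])
        records.append(Record(
            m["proto"], m["src_ip"], int(m["src_port"]),
            m["dst_ip"], int(m["dst_port"]), m["client_ip"],
            src_net, dst_net, m["action"], m["result"], m["rest"].strip()))
    return records


def check_reply_path(records, published_server: str, published_port: int):
    """For each session the publishing rule established, find reply traffic to
    the same client socket and flag replies not sourced from the published server."""
    findings = []
    established = [r for r in records
                   if r.action == "Establish"
                   and r.dst_ip == published_server and r.dst_port == published_port]
    for s in established:
        replies = [r for r in records
                   if r is not s and r.dst_ip == s.src_ip
                   and r.dst_port == s.src_port and r.src_port == published_port]
        for rep in replies:
            if rep.src_ip != published_server:
                findings.append({
                    "client": f"{s.src_ip}:{s.src_port}",
                    "expected_reply_source": f"{published_server}:{published_port}",
                    "actual_reply_source": f"{rep.src_ip}:{rep.src_port}",
                    "reply_network": rep.src_net,
                    "reply_action": rep.action,
                    "result_code": rep.result,
                })
    return findings


if __name__ == "__main__":
    for f in check_reply_path(parse_log(SAMPLE_LOG), "192.168.1.48", 8000):
        print(f)
```

Run against the paste, it reports two findings: the reply to 203.202.52.80:22032 arrives from 202.92.91.107:8000 on the Local Host network and is denied with result code 0xc004002d, rather than from 192.168.1.48:8000, which is the mismatch the poster is asking about.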
RE: ISA Non web publishing problem - 7.May2007 11:38:55 AM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
quote:
TCP 203.202.52.80:22032 192.168.1.48:8000 203.202.52.80 External Internal Establish 0x0 Lockdown Policy 8000 -
TCP 202.92.91.107:8000 203.202.52.80:22032 202.92.91.107 Local Host External Denied 0xc004002d - Unidentified IP Traffic 192.168.1.34
TCP 202.92.91.107:8000 203.202.52.80:22032 202.92.91.107 Local Host External Denied 0xc004002d - Unidentified IP Traffic 192.168.1.34
Ok, this helps. In the publishing rule, do you have the Local Host network included or another policy for the protocol defined with the External network included? It looks like it and needs to be removed. Also, the publishing rule needs to be first in order or at the top in the Firewall Policy. If you have another policy created for the same protocol, this could cause a conflict and should be removed. RB
RE: ISA Non web publishing problem - 7.May2007 5:46:43 PM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
Ok, as it stands, there is only this publishing rule and the default rule. The external facing NIC, 202.92.91.~, is not defined in any networks (but it's defined in External for some reason?). I had it defined in a created network "External NIC"; however, the reason the rule wasn't working initially was because of that. I talked to MS support and they said that I should remove my created network (External NIC) because the addresses were in External by default. Know why it would be in External? At the moment, there is nothing defined in Local Host; there is "Internal", which is the 192.168 range, which includes the address of the internal facing NIC, and External, which includes everything else, including the external facing NIC's range. As far as I can tell there is no way to manually change the "Local Host" network object; could this be my problem? Any ideas on how I should be configuring it? Appreciate your help so far. Cheers
RE: ISA Non web publishing problem - 8.May2007 10:10:04 AM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
Local Host object would be the ISA server itself and I would leave that alone. Removing the user-defined External was the correct thing to do. The non-web publishing rule for the app that you created: please verify that you only have the External network selected in the publishing rule listener. Who is the network host using IP x.x.x.34? The log is showing unidentified IP traffic from that host, so you might want to consider doing a Net-Mon capture to help identify that traffic. Please verify that you have created a user-defined "inbound" protocol for TCP port 8000 and that it is the only one applied to the publishing rule. RB
RE: ISA Non web publishing problem - 8.May2007 7:51:09 PM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
Ok, x.x.x.34 is the address of the internal facing NIC on the ISA. The external NIC is 202.92.91.107. 192.168.1.48 is the published server. I'm sure I have more than External checked for the listener; I will correct this and confirm. I have created the inbound 8000 prot. and it's the only one assigned to the rule. It's strange; I'm basically routing the traffic. As you can see, when it picks up the inbound rule, client address is the device and destination is the internal server, but coming back, the client address is not the published server, it's the external facing NIC. Could this be the problem? Maybe it's expecting to see the traffic returning to the same place and coming from the published server, and as it's not coming from the published server it doesn't see that as session traffic?
RE: ISA Non web publishing problem - 9.May2007 1:07:25 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
Ok, check the Listener binding and let me know. Try using the "Request appear to come from original client" setting in the publishing rule to see if that makes a difference. RB
RE: ISA Non web publishing problem - 10.May2007 2:43:48 AM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
Ok, listener binding set as advised, "request appear to come from original client" checked, bounced server. Same deal. So frustrating. We tried just opening up the main firewall for 8000 traffic through to the server, and it works fine, but try to do it through ISA and no go.
RE: ISA Non web publishing problem - 11.May2007 9:38:46 AM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
Just for clarification, your ISA is a back-end firewall which is behind a main router/firewall on your network. Correct? You have a public IP assigned to the external facing NIC on the ISA. Are you using NAT on the main firewall? Assuming so, and with the ISA behind the main firewall, I would think that you would be using a private IP scheme behind the main firewall. The ISA external NIC is currently configured with a public IP address. This is probably the root of your problem. It sounds like misconfiguration on the ISA external NIC. For the publishing of the app to work, you will need PAT rules configured on the main firewall to the ISA external NIC (with a properly configured IP, subnet mask and gateway to the main firewall) as well as outbound access on the main firewall from the ISA for the published app. RB
RE: ISA Non web publishing problem - 16.May2007 2:53:23 AM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
Your description is pretty much exactly the environment. We have configured the front firewall to allow the app. When you say PAT rules, how should I set those up?
RE: ISA Non web publishing problem - 16.May2007 3:50:20 PM
Rotorblade
Posts: 963
Joined: 27.Feb.2007
Status: offline
You need to configure and map the app port on the FE FW to point to the ISA (BE FW) external IP address. Your listener should pick up the traffic. RB HTH
RE: ISA Non web publishing problem - 16.May2007 11:20:19 PM
djcreedy
Posts: 10
Joined: 2.May2007
Status: offline
Spoke to the network admin. We are routing the traffic through the firewall to the external NIC of the ISA, not NAT.